The Ketje authenticated encryption scheme

Ketje is an authenticated encryption scheme based on Keccak-p. It takes as input a secret key and a nonce, then some associated data (or metadata) that are authenticated but not encrypted and finally some plaintext. It produces a cryptogram comprising the ciphertext and a tag authenticating both the metadata and the plaintext. The recipient holding the same secret key can decrypt the cryptogram and check whether it is authentic.

Ketje supports also the concept of sessions. Without having to input the key again and a new nonce, the communicating parties can keep on exchanging metadata-plaintext pairs. Each time, the tag authenticates the complete exchange of messages so far.

Ketje Jr and Ketje Sr aim at compact implementations in constrained environments, whereas Ketje Minor and Ketje Major are research ciphers that aim at high speed.

Technical details

SynopsisThe Ketje authenticated encryption scheme
Designed byGuido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer
ImplementsAn authenticated encryption scheme with associated data and support for sessions
ConstructionThe MonkeyWrap authenticated encryption mode on top of the MonkeyDuplex construction
PrimitiveThe Keccak-p[b, nr] permutations, with a twist
Parameterized byThe width of the permutation b and by the block size ρ
Instancewidthblock size
Ketje Jrb=200ρ=16
Ketje Srb=400ρ=32
Ketje Minorb=800ρ=128
Ketje Majorb=1600ρ=256
StatusThird-round candidate in the CAESAR competition

We define and document Ketje in the Ketje CAESAR submission v2.0.

The reference implementation of Ketje v2 is part of Keccak Tools. Further implementations can be found in the Keccak Code Package.